fix(deps): update module github.com/containerd/containerd/v2 to v2.0.7 [security] (alauda-3.18.6)

[alaudaa-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/containerd/containerd/v2	v2.0.0 -> v2.0.7

---

containerd has an integer overflow in User ID handling

CVE-2024-40635 / GHSA-265r-hfxg-fhmg / GO-2025-3528

More information

Details

Impact

A bug was found in containerd where containers launched with a User set as a UID:GID larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user.

Patches

This bug has been fixed in the following containerd versions:

• 2.0.4 (Fixed in containerd/containerd@1a43cb6)
• 1.7.27 (Fixed in containerd/containerd@05044ec)
• 1.6.38 (Fixed in containerd/containerd@cf158e8)

Users should update to these versions to resolve the issue.

Workarounds

Ensure that only trusted images are used and that only trusted users have permissions to import images.

Credits

The containerd project would like to thank Benjamin Koltermann and emxll for responsibly disclosing this issue in accordance with the containerd security policy.

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40635

For more information

If you have any questions or comments about this advisory:

• Open an issue in containerd
• Email us at security@containerd.io

To report a security issue in containerd:

• Report a new vulnerability
• Email us at security@containerd.io

Severity

• CVSS Score: 4.6 / 10 (Medium)
• Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

References

• https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg
• https://nvd.nist.gov/vuln/detail/CVE-2024-40635
• https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da
• https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20
• https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a
• https://github.com/containerd/containerd
• https://lists.debian.org/debian-lts-announce/2025/05/msg00005.html

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

containerd has an integer overflow in User ID handling in github.com/containerd/containerd

CVE-2024-40635 / GHSA-265r-hfxg-fhmg / GO-2025-3528

More information

Details

containerd has an integer overflow in User ID handling in github.com/containerd/containerd

Severity

Unknown

References

• https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg
• https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da
• https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20
• https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

containerd CRI server: Host memory exhaustion through Attach goroutine leak

CVE-2025-64329 / GHSA-m6hq-p25p-ffr2 / GO-2025-4108

More information

Details

Impact

A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks.

Repetitive calls of CRI Attach (e.g., kubectl attach) could increase the memory usage of containerd.

Patches

This bug has been fixed in the following containerd versions:

• 2.2.0
• 2.1.5
• 2.0.7
• 1.7.29

Users should update to these versions to resolve the issue.

Workarounds

Set up an admission controller to control accesses to pods/attach resources.
e.g., Validating Admission Policy.

Credits

The containerd project would like to thank @​Wheat2018 for responsibly disclosing this issue in accordance with the containerd security policy.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64329

For more information

If you have any questions or comments about this advisory:

• Open an issue in containerd
• Email us at security@containerd.io

To report a security issue in containerd:

• Report a new vulnerability

Severity

• CVSS Score: Unknown
• Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2
• https://nvd.nist.gov/vuln/detail/CVE-2025-64329
• https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df
• https://github.com/containerd/containerd

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

containerd affected by a local privilege escalation via wide permissions on CRI directory in github.com/containerd/containerd

CVE-2024-25621 / GHSA-pwhc-rpq9-4c8w / GO-2025-4100

More information

Details

containerd affected by a local privilege escalation via wide permissions on CRI directory in github.com/containerd/containerd

Severity

Unknown

References

• https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w
• https://nvd.nist.gov/vuln/detail/CVE-2024-25621
• https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5
• https://github.com/containerd/containerd/blob/main/docs/rootless.md

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

containerd CRI server: Host memory exhaustion through Attach goroutine leak in github.com/containerd/containerd

CVE-2025-64329 / GHSA-m6hq-p25p-ffr2 / GO-2025-4108

More information

Details

containerd CRI server: Host memory exhaustion through Attach goroutine leak in github.com/containerd/containerd

Severity

Unknown

References

• https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2
• https://nvd.nist.gov/vuln/detail/CVE-2025-64329
• https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

containerd affected by a local privilege escalation via wide permissions on CRI directory

CVE-2024-25621 / GHSA-pwhc-rpq9-4c8w / GO-2025-4100

More information

Details

Impact

An overly broad default permission vulnerability was found in containerd.

• /var/lib/containerd was created with the permission bits 0o711, while it should be created with 0o700
  • Allowed local users on the host to potentially access the metadata store and the content store
• /run/containerd/io.containerd.grpc.v1.cri was created with 0o755, while it should be created with 0o700
  • Allowed local users on the host to potentially access the contents of Kubernetes local volumes. The contents of volumes might include setuid binaries, which could allow a local user on the host to elevate privileges on the host.
• /run/containerd/io.containerd.sandbox.controller.v1.shim was created with 0o711, while it should be created with 0o700

The directory paths may differ depending on the daemon configuration.
When the temp directory path is specified in the daemon configuration, that directory was also created with 0o711, while it should be created with 0o700.

Patches

This bug has been fixed in the following containerd versions:

• 2.2.0
• 2.1.5
• 2.0.7
• 1.7.29

Users should update to these versions to resolve the issue.
These updates automatically change the permissions of the existing directories.

[!NOTE]

/run/containerd and /run/containerd/io.containerd.runtime.v2.task are still created with 0o711.
This is an expected behavior for supporting userns-remapped containers.

Workarounds

The system administrator on the host can manually chmod the directories to not
have group or world accessible permisisons:

chmod 700 /var/lib/containerd
chmod 700 /run/containerd/io.containerd.grpc.v1.cri
chmod 700 /run/containerd/io.containerd.sandbox.controller.v1.shim

An alternative mitigation would be to run containerd in rootless mode.

Credits

The containerd project would like to thank David Leadbeater for responsibly disclosing this issue in accordance with the containerd security policy.

For more information

If you have any questions or comments about this advisory:

• Open an issue in containerd
• Email us at security@containerd.io

To report a security issue in containerd:

• Report a new vulnerability

Severity

• CVSS Score: 7.3 / 10 (High)
• Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References

• https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w
• https://nvd.nist.gov/vuln/detail/CVE-2024-25621
• https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5
• https://github.com/containerd/containerd
• https://github.com/containerd/containerd/blob/main/docs/rootless.md

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

containerd/containerd (github.com/containerd/containerd/v2)

v2.0.7: containerd 2.0.7

Compare Source

Welcome to the v2.0.7 release of containerd!

The seventh patch release for containerd 2.0 includes various bug fixes and updates.

Security Updates

• containerd

  • GHSA-pwhc-rpq9-4c8w
  • GHSA-m6hq-p25p-ffr2

• runc

  • GHSA-qw9x-cqr3-wc7r
  • GHSA-cgrx-mc8f-2prm
  • GHSA-9493-h29p-rfm2

Highlights

Container Runtime Interface (CRI)

• Disable event subscriber during task cleanup (#​12406)
• Add SystemdCgroup to default runtime options (#​12254)
• Fix userns with container image VOLUME mounts that need copy (#​12241)

Image Distribution

• Add dial timeout field to hosts toml configuration (#​12136)

Runtime

• Update runc binary to v1.3.3 (#​12479)
• Fix lost container logs from quickly closing io (#​12376)
• Create bootstrap.json with 0644 permission (#​12184)
• Fix pidfd leak in UnshareAfterEnterUserns (#​12178)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Austin Vazquez
• Phil Estes
• Rodrigo Campos
• Wei Fu
• Akihiro Suda
• Derek McGowan
• Maksym Pavlenko
• ningmingxiao
• Kirtana Ashok
• Akhil Mohan
• Andrew Halaney
• Jin Dong
• Jose Fernandez
• Mike Baynton
• Philip Laine
• Swagat Bora
• wheat2018

Changes

56 commits

• Prepare release notes for v2.0.7 (#​12482)
  • 4931e24f1 Prepare release notes for v2.0.7
  • 205bc4f2d Update mailmap
  • 5f708b76a Merge commit from fork
  • 8cd112d82 Fix directory permissions
  • 05290b5bc Merge commit from fork
  • 4d1edf4ad fix goroutine leak of container Attach
• Update runc binary to v1.3.3 (#​12479)
  • b46dc6a67 runc: Update runc binary to v1.3.3
• ci: bump Go 1.24.9; 1.25.3 (#​12361)
  • 5e9c82178 Update GHA runners to use latest images for basic binaries build
  • 7f59248dc Update GHA runners to use latest image for most jobs
  • e1373e8a8 ci: bump Go 1.24.9, 1.25.3
  • e1a910a6a ci: bump Go 1.24.8; 1.25.2
  • fd04b7f17 move exclude-dirs to issues.exclude-dirs
  • b49377975 update golangci-lint to v1.64.2
  • 6e45022a1 build(deps): bump golangci/golangci-lint-action from 6.3.2 to 6.5.0
  • 09ce0f2a1 build(deps): bump golangci/golangci-lint-action from 6.2.0 to 6.3.2
  • de63a740b build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0
• Fix lost container logs from quickly closing io (#​12376)
  • f953ee8a3 bugfix:fix container logs lost because io close too quickly
• CI: update Fedora to 43 (#​12448)
  • f6f15f513 CI: update Fedora to 43
• Disable event subscriber during task cleanup (#​12406)
  • 2a2329cbd cri/server/podsandbox: disable event subscriber
• CI: skip ubuntu-24.04-arm on private repos (#​12428)
  • dfb954743 CI: skip ubuntu-24.04-arm on private repos
• Remove additional fuzzers from instrumentation repo (#​12420)
  • f6b02f6bb Remove additional fuzzers from CI
• runc:Update runc binary to v1.3.1 (#​12275)
  • 75c13ee3f runc:Update runc binary to v1.3.1
• Add SystemdCgroup to default runtime options (#​12254)
  • 427cdd06c add SystemdCgroup to default runtime options
• install-runhcs-shim: fetch target commit instead of tags (#​12255)
  • 0b35e19fb install-runhcs-shim: fetch target commit instead of tags
• Fix userns with container image VOLUME mounts that need copy (#​12241)
  • 3212afc2f integration: Add test for directives with userns
  • b855c6e10 cri: Fix userns with Dockerfile VOLUME mounts that need copy
• Fix overlayfs issues related to user namespace (#​12223)
  • 05c0c99f4 core/mount: Retry unmounting idmapped directories
  • afdede4ce core/mount: Test cleanup of DoPrepareIDMappedOverlay()
  • 47205f814 core/mount: Properly cleanup on doPrepareIDMappedOverlay errors
  • 6f4abd970 core/mount: Don't call nil function on errors
  • a2f0d65d7 core/mount: Only idmap once per overlayfs, not per layer
  • 1c32accd7 Make ovl idmap mounts read-only
• ci: bump Go 1.23.12, 1.24.6 (#​12187)
  • 9e72e91e6 ci: bump Go 1.23.12, 1.24.6
• Create bootstrap.json with 0644 permission (#​12184)
  • 009622e04 fix: create bootstrap.json with 0644 permission
• Fix pidfd leak in UnshareAfterEnterUserns (#​12178)
  • 5bec0a332 sys: fix pidfd leak in UnshareAfterEnterUserns
• Fix windows test failures (#​12120)
  • 2a2488131 Fix intermittent test failures on Windows CIs
  • 018470948 Remove WS2025 from CIs due to regression
• Add dial timeout field to hosts toml configuration (#​12136)
  • b50cbbc98 Add dial timeout field to hosts toml configuration

Dependency Changes

This release has no dependency changes

Previous release can be found at v2.0.6

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

v2.0.6: containerd 2.0.6

Compare Source

Welcome to the v2.0.6 release of containerd!

The sixth patch release for containerd 2.0 includes various bug fixes and updates.

Highlights

• Update containerd config dump to reflect plugin config migrations (#​11772)

Container Runtime Interface (CRI)

• Fix containerd panic when sandbox extension is missing (#​12077)
• Fix the panic caused by the failure of RunPodSandbox (#​12047)
• Add extension to sandbox metadata store on create sandbox (#​11808)
• Fix issue where Prometheus metric names changed for CRI (#​11750)
• Fix issue preventing some v2 shims from shutting down properly (#​11741)

Go client

• Fix lazy gRPC connection mode waiting for connect on client creation (#​12080)

Image Distribution

• Fix cross-repo mount fallback after authorization failure (#​11832)

Runtime

• Fix container io to close after runtime create failure (#​12051)
• Fix incompatibility with some pre-v3 shims (#​11973)
• Update runc binary to v1.3.0 (#​11801)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Phil Estes
• Austin Vazquez
• Wei Fu
• Akihiro Suda
• Maksym Pavlenko
• Samuel Karp
• Yang Yang
• Akhil Mohan
• ningmingxiao
• Alberto Garcia Hierro
• Chris Henzie
• HirazawaUi
• Jin Dong
• Kirtana Ashok
• Paweł Gronowski
• Vinayak Goyal

Changes

49 commits

• Prepare release notes for v2.0.6 (#​12145)
  • d94b0fee6 Prepare release notes for v2.0.6
• ci: bump Go 1.23.11, 1.24.5 (#​12116)
  • f901e3c81 ci: bump Go 1.23.11, 1.24.5
• go.mod: golang.org/x/* latest (#​12097)
  • 7e4ac4761 go.mod: golang.org/x/* latest
• Fix lazy gRPC connection mode waiting for connect on client creation (#​12080)
  • bed6d1401 client/New: Don't unlazy the gRPC connection implicitly
• Fix containerd panic when sandbox extension is missing (#​12077)
  • 8094fa21a cri:fix containerd panic when can't find sandbox extension
• Fix container io to close after runtime create failure (#​12051)
  • 552f717be bugfix:close container io when runtime create failed
• Fix the panic caused by the failure of RunPodSandbox (#​12047)
  • c4394d05a Fix the panic caused by the failure of RunPodSandbox
• ci: bump golang [1.23.10, 1.24.4] in build and release (#​11969)
  • 54f923a30 ci: bump golang [1.23.10, 1.24.4] in build and release
  • 2de777dfe ci: bump golang [1.23.9, 1.24.3] in build and release
• Enable CIs to run on WS2022 and WS2025 (#​11970)
  • 9724cd5ea Enable CIs to run on WS2022 and WS2025
• Fix incompatibility with some pre-v3 shims (#​11973)
  • 7fc3151fc *: properly shutdown non-groupable shims to prevent resource leaks
  • 4396336a1 core/runtime: should invoke shim binary
  • 10bcc6929 Revert "not set sandbox id when use podsandbox type"
  • f38eb62b6 integration: add testcase to recover ungroupable shim
  • 2358561d5 Update release upgrade tests to test 1.7 and 2.0
  • 8931b1464 Fix upgrade test runtime config
• Fetch image with default platform only in TestExportAndImportMultiLayer (#​11944)
  • fc9235910 Fetch image with default platform only in TestExportAndImportMultiLayer
• Add extension to sandbox metadata store on create sandbox (#​11808)
  • f8679737e store extension when create sandbox in store
• Fix cross-repo mount fallback after authorization failure (#​11832)
  • cbfa66223 fix(docker pusher): if authorizing a cross-repo mount fails, fall back
• .github: do not mark 2.0 releases as latest (#​11820)
  • 7bf4d0a40 .github: do not mark 2.0 releases as latest
• Update runc binary to v1.3.0 (#​11801)
  • fa5a08244 Update runc binary to v1.3.0
• Revert "disable portmap test in ubuntu-22 to make CI happy" (#​11784)
  • 7cf3c604e fix unbound SKIP_TEST variable error
  • 827be7c9d Revert "disable portmap test in ubuntu-22 to make CI happy"
• Update containerd config dump to reflect plugin config migrations (#​11772)
  • 626a57dd7 fix: update containerd config dump to reflect plugin config migrations.
• core/transfer/local: should not mark completed if it's not found (#​11768)
  • 983dd336f core/transfer/local: should not mark complete if it's not found
• Fix issue where Prometheus metric names changed for CRI (#​11750)
  • d2a30ea0c Revert criserver metrics subsystem back to cri
• Fix issue preventing some v2 shims from shutting down properly (#​11741)
  • e9804ee0e not set sandbox id when use podsandbox type
• [CI] Fix vagrant (#​11740)
  • 9ddeff7f7 Fix vagrant setup

Dependency Changes

• golang.org/x/crypto v0.36.0 -> v0.40.0
• golang.org/x/exp aacd6d4 -> 6ae5c78
• golang.org/x/mod v0.21.0 -> v0.26.0
• golang.org/x/net v0.37.0 -> v0.42.0
• golang.org/x/oauth2 v0.28.0 -> v0.30.0
• golang.org/x/sync v0.12.0 -> v0.16.0
• golang.org/x/sys v0.31.0 -> v0.34.0
• golang.org/x/term v0.30.0 -> v0.33.0
• golang.org/x/text v0.23.0 -> v0.27.0
• golang.org/x/time v0.3.0 -> v0.12.0

Previous release can be found at v2.0.5

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

v2.0.5: containerd 2.0.5

Compare Source

Welcome to the v2.0.5 release of containerd!

The fifth patch release for containerd 2.0 includes various bug fixes and updates.

Highlights

Build and Release Toolchain

• Update go to 1.23.8 (#​11717)

Container Runtime Interface (CRI)

• Update ImageService to delete images synchronously (#​11599)

Image Distribution

• Prevent panic on zero length push (#​11698)
• Set default differ for the default unpack config of transfer service (#​11688)

Runtime

• Remove invalid error log when stopping container after containerd restart (#​11621)
• Update taskOptions based on runtimeOptions when creating a task (#​11618)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Akihiro Suda
• Akhil Mohan
• Derek McGowan
• Phil Estes
• Wei Fu
• Iceber Gu
• Austin Vazquez
• Maksym Pavlenko
• Cesar Talledo
• Henry Wang
• Jin Dong
• Krisztian Litkey
• Yang Yang

Changes

33 commits

• Update go to 1.23.8 (#​11717)
  • 5bcf0a95e use go1.23.8 as the default go version
  • 4838f33f7 update to go 1.24.2, 1.23.8
• Prepare release notes for v2.0.5 (#​11713)
  • a8082cd60 Prepare release notes for v2.0.5
• Disable criu test on arm64 (#​11710)
  • 58b715ad8 Disable arm64 criu testing in GH Actions
  • b4a53e826 disable portmap test in ubuntu-22 to make CI happy
  • 4bcf472de add option to skip tests in critest
• Prevent panic on zero length push (#​11698)
  • 8a638b71a Prevent panic in Docker pusher.
• Set default differ for the default unpack config of transfer service (#​11688)
  • 84d9658c3 Set default differ for the default unpack config of transfer service
• ci: update GitHub Actions release runner to ubuntu-24.04 (#​11703)
  • b184a97d3 ci: update GitHub Actions release runner to ubuntu-24.04
• Remove invalid error log when stopping container after containerd restart (#​11621)
  • e04543db0 use shimCtx for fifo copy
• Update taskOptions based on runtimeOptions when creating a task (#​11618)
  • 9f46e7a44 integration/client: add tests for TaskOptions is not empty
  • 8a16a6a04 prefer task options for PluginInfo request
  • a183b2d23 update taskOptions based on runtimeOptions when creating a task
• Update ImageService to delete images synchronously (#​11599)
  • 091143135 *: CRIImageService should delete image synchronously
• Update runc binary to v1.2.6 (#​11583)
  • c2372c072 Update runc binary to v1.2.6
• go.{mod,sum}: bump CDI deps to stable v1.0.0. (#​11566)
  • e8506511b go.{mod,sum}: bump CDI deps to stable v1.0.0.
• silence govulncheck false positives (#​11571)
  • 4cfb89430 go.mod: github.com/go-jose/go-jose/v4
  • 2b9e6a29d go.mod: golang.org/x/oauth2 v0.28.0
  • 6df1ea0d9 go.mod: golang.org/x/net v0.37.0
• Fix CI lint error (cherry-picked #​11555) (#​11567)
  • 16f20abdf Fix CI lint error

Dependency Changes

• github.com/go-jose/go-jose/v4 v4.0.4 -> v4.0.5
• golang.org/x/crypto v0.31.0 -> v0.36.0
• golang.org/x/net v0.33.0 -> v0.37.0
• golang.org/x/oauth2 v0.23.0 -> v0.28.0
• golang.org/x/sync v0.10.0 -> v0.12.0
• golang.org/x/sys v0.28.0 -> v0.31.0
• golang.org/x/term v0.27.0 -> v0.30.0
• golang.org/x/text v0.21.0 -> v0.23.0
• tags.cncf.io/container-device-interface v0.8.1 -> v1.0.0
• tags.cncf.io/container-device-interface/specs-go v0.8.0 -> v1.0.0

Previous release can be found at v2.0.4

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

v2.0.4: containerd 2.0.4

Compare Source

Welcome to the v2.0.4 release of containerd!

The fourth patch release for containerd 2.0 includes various bug fixes and updates.

Highlights

• Fix integer overflow in User ID handling (GHSA-265r-hfxg-fhmg)
• Respect client.WithTimeout option on connect (#​11536)
• Update image type checks to avoid unnecessary logs for attestations (#​11537)

Node Resource Interface (NRI)

• Fix incorrect runtime name being passed to NRI (#​11529)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Akihiro Suda
• Paweł Gronowski
• Akhil Mohan
• Phil Estes
• Samuel Karp
• Craig Ingram
• ningmingxiao

Changes

19 commits

• 1a43cb6a1 Merge commit from fork
• 07a0b5419 (cherry picked from commit de1341c)
• Prepare release notes for v2.0.4 (#​11541)
  • 06a886a8e Prepare release notes for v2.0.4
• Respect client.WithTimeout option on connect (#​11536)
  • 6b5efba83 client: Respect client.WithTimeout option
• Update image type checks to avoid unnecessary logs for attestations (#​11537)
  • 916d48722 core/remotes: Handle attestations in MakeRefKey
  • df4d905a6 core/images: Ignore attestations when traversing children
• Fix incorrect runtime name being passed to NRI (#​11529)
  • 4f037050c add name in package version
• update build to go1.23.7, test go1.24.1 (#​11514)
  • e5ad0d0a0 update build to go1.23.7, test go1.24.1
• docs: include note about unprivileged sysctls (#​11506)
  • a39f1146b docs: include note about unprivileged sysctls
• e2e: use the shim bundled with containerd artifact (#​11503)
  • 81b3384a0 e2e: use the shim bundled with containerd artifact
• build(deps): bump containerd/project-checks from 1.1.0 to 1.2.1 (#​11497)
  • 7215a7d2c build(deps): bump containerd/project-checks from 1.1.0 to 1.2.1

Dependency Changes

This release has no dependency changes

Previous release can be found at v2.0.3

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

v2.0.3: containerd 2.0.3

Compare Source

Welcome to the v2.0.3 release of containerd!

The third patch release for containerd 2.0 includes various bug fixes and updates.

Highlights

• Update remote content to break up writes to avoid grpc message size limits (#​11457)
• Update runc binary to v1.2.5 (#​11394)

Container Runtime Interface (CRI)

• Fix privileged container sysfs can't be rw because pod is ro by default (#​11456)
• Fix recursive RLock() mutex acquisition (containerd/go-cni#126)

Node Resource Interface (NRI)

• Fix initial sync race when registering NRI plugins (#​11329)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Akihiro Suda
• Mike Brown
• Phil Estes
• Akhil Mohan
• Chifeng Cai
• Krisztian Litkey
• Wei Fu
• Andrey Smirnov
• Austin Vazquez
• Chris Henzie
• Jing Xu
• Jonathan A. Sternberg
• Jose Fernandez
• Kirtana Ashok
• Lei Liu
• Maksym Pavlenko
• Michael Zappa
• Samuel Karp
• fengwei0328
• zounengren

Changes

42 commits

• Prepare release notes for v2.0.3 (#​11443)
  • b8dde9189 Prepare release notes for v2.0.3
• Update remote content to break up writes to avoid grpc message size limits (#​11457)
  • eaa7ca80d proxy: break up writes from the remote writer to avoid grpc limits
• Fix privileged container sysfs can't be rw because pod is ro by default (#​11456)
  • c7f64196f Fix privileged container sysfs can't be rw because pod is ro by default
• go.{mod,sum}: bump CDI deps to v.0.8.1. (#​11430)
  • 92ae2951f Update CDI dependency to v0.8.1.
• Prefer runtime options for PluginInfo request (#​11446)
  • 569af34cb Prefer runtime options for PluginInfo request
• pkg: prevent oom watcher from depending on shim pkg (#​11439)
  • 0ce93e16a prevent oom watcher depend on shim pkg.
• CI: arm64-8core-32gb -> ubuntu-24.04-arm (#​11436)
  • f3284aa68 CI: arm64-8core-32gb -> ubuntu-24.04-arm
• Revert "Add timestamp to PodSandboxStatusResponse for kubernetes Evented PLEG" (#​11403)
  • b5313993c Revert "Add timestamp to PodSandboxStatusResponse for kubernetes Evented PLEG"
• move the device after the options when using mkfs.ext4 (#​11411)
  • f95a426b8 move the device after the options when using mkfs.ext4
• update build to go1.23.6, test go1.24.0 (#​11410)
  • 4d19a6adf update build to go1.23.6, test go1.24.0
• build(deps): bump actions/cache from 4.1.2 to 4.2.0 (#​11405)
  • c738c3aab build(deps): bump actions/cache from 4.1.2 to 4.2.0
• Upgrade x/net to 0.33.0 to fix vulnerability GHSA-w32m-9786-jp63 (#​11387)
  • fcf64305c Update vendor files to fix build failure
  • d3437eb29 Upgrade x/net to 0.33.0
• Update install-imgcrypt to allow change install repo (#​11357)
  • 0785bd8cc Update install-imgcrypt to allow change install repo
• Update runc binary to v1.2.5 (#​11394)
  • 697c59c63 Update runc binary to v1.2.5
• Update go-cni version to fix Race Condition issue (#​11269)
  • 06891f899 fix go-cni race condition
• Fix initial sync race when registering NRI plugins (#​11329)
  • 79cdbf61b cri,nri: block NRI plugin sync. during event processing.
• Update github.com/containerd/imgcrypt to v2.0.0 (#​11325)
  • 9d5cfce83 Update github.com/containerd/imgcrypt to v2.0.0
• Move CDI device spec out of the OCI package (#​11265)
  • f58939c33 Remove deprecated WithCDIDevices in oci spec opts
  • 3d53430fe Move CDI device spec out of the OCI package
• update to go1.23.5 / go1.22.11 (#​11297)
  • 1f4e5688e update to go1.23.5 / go1.22.11
• build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2 (#​11263)
  • [3a6ab80d0](https://redirect.github.com/containerd/containerd/commit/3a6ab80d0

---

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.